Robert Fullagar CISSP CISM CRISC Clas CEH - PowerPoint PPT Presentation

About This Presentation
Title:

Robert Fullagar CISSP CISM CRISC Clas CEH

Slides: 24
Provided by: RFullagar

Transcript and Presenter's Notes

Title: Robert Fullagar CISSP CISM CRISC Clas CEH


1
  • Robert Fullagar CISSP CISM CRISC Clas CEH

Security is everyone's responsibility
2
Security Programme Structure and Methodology
  • Contents
  • People Structure
  • Key positions
  • Roles of individuals
  • Methodology/Approach
  • Deliverables

3
People
Senior Manager/Board Member
Business Representatives
Business Representatives
Business Representatives
Business Representatives
Senior Security SME
Programme Manager
Project Managers
Delivery Teams
External Resource
Security SME
4
Delivery Team Structure
Programme Manager
Security SME
Project Manager
Infrastructure Lead
External Resource
Doers
5
Other People
Security Architects
Legal Specialist
PMO Support
Technical Architects
Procurement
HR
Etc
6
Roles
Senior Manager/Board Member
  • Influencer
  • Has a vested interest in improving security
  • Can keep the momentum going
  • Able to procure budget

7
Roles
Business Representatives
Business Representatives
Business Representatives
Business Representatives
  • Set/agree scope for the business area
  • Set priority based on risk for the business area
  • Monitor progress
  • They are decision makers

8
Roles
Senior Security SME
Programme Manager
Project Managers
  • Action the decisions of the business
    representatives
  • Translate the business and technical requirements
  • Bring resource and structure to deliver the scope
  • Provide budgetary figures to the programme board
  • Select and evaluate solutions

9
Roles
Delivery Teams
External Resource
Security SME
  • These are the doers, the engine room
  • The detail people, they bring to bear that
    detailed specific knowledge
  • They do the actual work, hands on work
  • They help make the project board's scope a reality

10
Initiator
  • Legislative
  • Contractual
  • External standards
  • Business driver or direction
  • Infrastructure replacement project
  • Consolidate security in finished project
  • Because it's Best Practice

11
What happens when
Phase 0: Discovery, 6-18 months
  • Risk Assessment provides input to Phase 1
  • Eye on Phase 1 scope and long term strategy
Phase 1: Foundation, 18 months - 2 years
  • Delivery of Phase 1 scope
  • Define long term strategy
Phase 2: Leverage, 2-5 years
  • Delivery of Phase 2 scope
BAU Security Cycle
12
Board Deliverables
Senior Manager/Board Member
Business Representatives
Business Representatives
Business Representatives
Business Representatives
  • Phase 0 - Scope
  • Business area
  • Drivers - why
  • Financial commitment
  • Time and resource commitment
  • Draft strategy

13
Programme Deliverables
Senior Security SME
Programme Manager
Project Managers
Delivery Teams
External Resource
Security SME
  • Phase 0
  • Plan Resource and tasks
  • Budget +/- 100
  • Approach
  • Quick wins
  • Minimal cost
  • Risk Assessment

14
Board Deliverables
Senior Manager/Board Member
Business Representatives
Business Representatives
Business Representatives
Business Representatives
  • Phase 1
  • Prioritise the items from the risk assessment
  • Financial support
  • Allocate and commit resource
  • Long term strategy

15
Programme Deliverables
Senior Security SME
Programme Manager
Project Managers
Delivery Teams
External Resource
Security SME
  • Phase 1
  • Risk assessment
  • Proposals to remediate
  • Accurate costs
  • Plan, time and resource
  • Deliver agreed scope

16
Summary
Phase 0
  • Phase 0
  • Business Driver
  • Vision
  • Initial Budget
  • Commitment

Board
Programme
17
Summary
Phase 0
  • Phase 0
  • Plan
  • Budget
  • Approach
  • Quick wins

Board
Programme
18
Summary
Phase 1
Board
GO
19
Summary
Phase 1
  • Phase 1
  • Risk Assessment
  • Remediation actions
  • Budget to remediate
  • Outline plan

Board
Programme
20
Summary
Phase 1
  • Phase 1
  • Prioritise risks
  • Financial support
  • Commitment
  • Agree plans

Board
Programme
21
Summary
Phase 1
Board
Long term strategy
22
BAU Security
Plan
Do
Act
Check
23
Thank You
  • Questions